HEUR:Trojan.Script.Generic (Kaspersky), Trojan.GenericKD.3601240 (B) (Emsisoft), Trojan.GenericKD.3601240 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7349f66d12698ed782f33e8bd111499d
SHA1: 43290dd1ee73f960e0f1085a088e80759cdcf178
SHA256: 6f1e4460f40b39dd63fb086a723ad8773a7e458b27d54b8558b491d797b806a7
SSDeep: 24576:qK0ylbTfuNNLjm94 eQNipthLVySQPE0eTxKRx27Nx3Ef:qKDMNNLKTeI8j8REug7Nx3C
Size: 1530880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-31 05:28:47
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3160
QZRScAXZAh.exe:3916
CgPZ.exe:1916
The Trojan injects its code into the following process(es). RegSvcs.exe is the .NET Framework's services installation tool, a legitimately located Microsoft binary that is used here only as a host for the injected payload; the file, registry and network activity attributed to RegSvcs.exe:2084 below is that payload's, not the tool's:
RegSvcs.exe:2084
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process RegSvcs.exe:2084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5cc55762-44ea-d3b8-0669-a6ac0e4f3302 (57 bytes)
The process %original file name%.exe:3160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QZRScAXZAh.exe (35153 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QZRScAXZAh.exe (0 bytes)
The process QZRScAXZAh.exe:3916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut3765.tmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xicdcrj (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\CgPZT.au3 (130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\CgPZ.exe (1874 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut3765.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xicdcrj (0 bytes)
The process CgPZ.exe:1916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAELSKSaFAGf.lnk (846 bytes)
Registry activity
The process RegSvcs.exe:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. These Tracing\RegSvcs_RASAPI32 and Tracing\RegSvcs_RASMANCS keys are written automatically by the RAS tracing code the first time a process loads the RAS/WinINet networking APIs; tracing stays disabled (EnableFileTracing and EnableConsoleTracing are 0), so they are a side effect of the injected payload's network activity rather than a deliberate configuration change, and they are useful mainly as evidence that RegSvcs.exe, which normally has no reason to talk to the network, did so:
[HKLM\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
The process %original file name%.exe:3160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The dropper registers the following RunOnce value. This is the standard cleanup entry written by the Windows self-extractor (wextract): it runs DelNodeRunDLL32 from advpack.dll to delete the IXP000.TMP extraction directory at the next logon in case the extractor is interrupted. It does not start the Trojan again and is not its persistence mechanism; persistence is the Startup-folder shortcut JAELSKSaFAGf.lnk written by CgPZ.exe (see File activity):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
Before exiting, the dropper removes the same cleanup value again, having already deleted the extracted QZRScAXZAh.exe itself (see File activity):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
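The process, file and registry events above form one chain: a Windows self-extractor (the IXP000.TMP directory and the wextract_cleanup0 value are its fingerprints) drops and runs an AutoIt-compiled stage, QZRScAXZAh.exe, which writes a .au3 script next to an .exe in %AppData%\Roaming; that stage's child CgPZ.exe persists through a Startup-folder .lnk; and the payload ends up inside RegSvcs.exe. The Python below is an added example, not part of the Lavasoft report or of the sample: it encodes those observations as correlation rules and runs them over an event list constructed from the report. The user name, the RegSvcs.exe path, and the choice of CgPZ.exe as the injecting process are assumptions (the report names only the injection target). The wextract RunOnce value is deliberately reported as informational rather than as persistence, and a RunOnce value with any other name is treated as an alert.

```python
"""Behavioural correlation of the sandbox events above (added example, not part
of the Lavasoft report). EVENTS is constructed from the report's process, file
and registry activity; the user name, the RegSvcs.exe path and the choice of
CgPZ.exe as the injecting process are assumptions (the report names only the
injection target)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process" | "file_write" | "reg_set" | "inject"
    pid: int
    image: str          # lower-cased path of the acting process
    target: str = ""    # file written, registry value set, or image injected into
    parent: int = 0     # parent pid (process events only)


TEMP = r"c:\users\victim\appdata\local\temp"
ROAMING = r"c:\users\victim\appdata\roaming"
WINDIR = "c:\\windows\\"

EVENTS = [
    Event("process", 3160, r"c:\users\victim\downloads\sample.exe"),
    Event("file_write", 3160, r"c:\users\victim\downloads\sample.exe",
          TEMP + r"\ixp000.tmp\qzrscaxzah.exe"),
    Event("reg_set", 3160, r"c:\users\victim\downloads\sample.exe",
          r"hklm\software\microsoft\windows\currentversion\runonce\wextract_cleanup0"),
    Event("process", 3916, TEMP + r"\ixp000.tmp\qzrscaxzah.exe", parent=3160),
    Event("file_write", 3916, TEMP + r"\ixp000.tmp\qzrscaxzah.exe", ROAMING + r"\cgpzt.au3"),
    Event("file_write", 3916, TEMP + r"\ixp000.tmp\qzrscaxzah.exe", ROAMING + r"\cgpz.exe"),
    Event("process", 1916, ROAMING + r"\cgpz.exe", parent=3916),
    Event("file_write", 1916, ROAMING + r"\cgpz.exe",
          ROAMING + r"\microsoft\windows\start menu\programs\startup\jaelsksafagf.lnk"),
    # Assumed: CgPZ.exe is the injector; RegSvcs.exe path is the usual .NET 4 location.
    Event("inject", 1916, ROAMING + r"\cgpz.exe",
          WINDIR + r"microsoft.net\framework\v4.0.30319\regsvcs.exe"),
]

IXP_EXE = re.compile(r"\\appdata\\local\\temp\\ixp\d{3}\.tmp\\[^\\]+\.exe$")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")
USER_DIR = re.compile(r"\\appdata\\(local\\temp|roaming)\\")
RUNONCE = re.compile(r"\\currentversion\\runonce\\([^\\]+)$")


def ancestry(pid, procs):
    """pid, its parent, grandparent ... as far back as process events exist."""
    while pid in procs:
        yield pid
        pid = procs[pid].parent


def analyse(events):
    """Return (severity, rule, pid, detail) tuples, in event order."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    written = {}
    out = []
    for e in events:
        if e.kind == "file_write":
            written.setdefault(e.pid, []).append(e.target)
            if IXP_EXE.search(e.target):            # wextract/IExpress extraction dir
                out.append(("alert", "selfextract_drop", e.pid, e.target))
            if STARTUP_LNK.search(e.target) and USER_DIR.search(e.image):
                out.append(("alert", "startup_lnk_from_appdata", e.pid, e.target))
                chain = [procs[p].image for p in ancestry(e.pid, procs)]
                if any(IXP_EXE.search(img) for img in chain):
                    out.append(("alert", "dropper_chain_to_persistence", e.pid, " <- ".join(chain)))
        elif e.kind == "reg_set":
            m = RUNONCE.search(e.target)
            if m and m.group(1).startswith("wextract_cleanup"):
                # The self-extractor's own cleanup stub (rundll32 advpack.dll,DelNodeRunDLL32
                # on the IXP directory); it removes itself and is not persistence.
                out.append(("info", "selfextract_cleanup_runonce", e.pid, m.group(1)))
            elif m:
                out.append(("alert", "runonce_persistence", e.pid, m.group(1)))
        elif e.kind == "inject":
            target = e.target.rsplit("\\", 1)[-1]
            if target == "regsvcs.exe" and not e.image.startswith(WINDIR):
                out.append(("alert", "regsvcs_injection", e.pid, e.image))
    for pid, paths in written.items():
        # AutoIt pattern: compiled runtime (.exe) and script (.au3) dropped by one process
        if any(p.endswith(".au3") for p in paths) and any(p.endswith(".exe") for p in paths):
            out.append(("alert", "autoit_script_and_runtime_drop", pid, ", ".join(paths)))
    return out


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

Run stand-alone it prints five alerts and one informational finding for the constructed event list; the ancestry walk is what turns the individual writes into a single dropper-to-persistence chain, which is the signal worth alerting on.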
Dropped PE files
MD5 | File path |
---|---|
b06e67f9767e5023892d9698703ad098 | c:\Users\"%CurrentUserName%"\FodCQGqPNUt5uF4K\CgPZ.exe |
Note that this path differs from the C:\Users\"%CurrentUserName%"\AppData\Roaming\CgPZ.exe location recorded under File activity; treat both paths, and the MD5 above, as indicators.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3160
QZRScAXZAh.exe:3916
CgPZ.exe:1916
RegSvcs.exe:2084 (the instance hosting the injected code; the RegSvcs.exe binary itself is a legitimate Windows component and is not to be deleted)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5cc55762-44ea-d3b8-0669-a6ac0e4f3302 (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QZRScAXZAh.exe (35153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut3765.tmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xicdcrj (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\CgPZT.au3 (130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\CgPZ.exe (1874 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JAELSKSaFAGf.lnk (846 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
The dropper normally removes this self-extractor cleanup value itself before exiting, so it is usually absent already; the persistence that must be removed is the Startup-folder shortcut JAELSKSaFAGf.lnk listed above.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26980 | 27136 | 4.40175 | 22c7cbc7745692002dbdf65a4bc48e63 |
.data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
.idata | 40960 | 4220 | 4608 | 3.49841 | a5d9b0c8d0d0e35bcbb5219dda1a3075 |
.rsrc | 49152 | 1494116 | 1494528 | 5.16921 | bc79fc206af005110c07a8d5d40d525f |
.reloc | 1544192 | 2240 | 2560 | 4.41763 | 7772c8e6ff71410862c324630aac5515 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://prosper.kancoway.com/Panel/api | 68.171.217.250 |
hxxp://selfypay.info/Products/iSpyKelogger/Server/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /Products/iSpyKelogger/Server/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: selfypay.info
Content-Length: 122
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue

....

HTTP/1.1 404 Not Found
Date: Sun, 30 Oct 2016 03:26:36 GMT
Server: Apache
Content-Length: 346
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /Products/iSpyKelogger/Server/ was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

The 122-byte form body of the POST is not reproduced in the report. The server answered with Apache's stock 404 page (including the secondary ErrorDocument failure), so the iSpyKelogger panel path no longer existed on selfypay.info when the sample was run; no exchange with the prosper.kancoway.com URL appears in the capture. The request itself is still a usable indicator: a form-encoded POST carrying Expect: 100-continue and no User-Agent header, sent from the injected RegSvcs.exe process.
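As an added example (not from the Lavasoft report), the following Python parses the captured POST above, matches it and a set of constructed proxy log lines against the hosts, paths and IP from the URL table, and additionally flags the header shape of the request: a form-encoded POST with Expect: 100-continue and no User-Agent at all, which is what a .NET HttpWebRequest emits by default and is not what a browser sends. The proxy log format, the source address and the destination IP used for selfypay.info (the report gives none) are constructed, with documentation-range addresses.

```python
"""Network IOC matching for the traffic above (added example, not part of the
Lavasoft report). IOC sets come from the report's URL table; the proxy log
lines, the source address and the destination IP for selfypay.info are constructed."""
from urllib.parse import urlsplit

C2_HOSTS = {"prosper.kancoway.com", "selfypay.info"}
C2_PATHS = {"/Panel/api", "/Products/iSpyKelogger/Server/"}
C2_IPS = {"68.171.217.250"}

# Request shown in the Traffic section (the 122-byte body is not in the report).
CAPTURED_POST = (
    "POST /Products/iSpyKelogger/Server/ HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: selfypay.info\r\n"
    "Content-Length: 122\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed proxy log: "<timestamp> <src> <dst_ip> <method> <url> <status>".
# 203.0.113.0/24 is documentation address space, not real infrastructure.
SAMPLE_LOG = """\
2016-10-30T03:26:30Z 10.0.0.5 203.0.113.10 GET http://example.com/ 200
2016-10-30T03:26:35Z 10.0.0.5 68.171.217.250 POST http://prosper.kancoway.com/Panel/api 200
2016-10-30T03:26:36Z 10.0.0.5 203.0.113.7 POST http://selfypay.info/Products/iSpyKelogger/Server/ 404
2016-10-30T03:27:01Z 10.0.0.5 203.0.113.7 GET http://selfypay.info/robots.txt 404
"""


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(req, dst_ip=None):
    """Return the indicator names that match one request, in a fixed order."""
    h = req["headers"]
    host = h.get("host", "").split(":")[0].lower()
    hits = []
    if host in C2_HOSTS:
        hits.append("ioc_host")
    if req["path"] in C2_PATHS:
        hits.append("ioc_path")
    if dst_ip in C2_IPS:
        hits.append("ioc_ip")
    # Header shape of the captured beacon: form POST, Expect: 100-continue and
    # no User-Agent. Browsers always send a User-Agent; .NET HttpWebRequest sends
    # none unless the program sets one, and adds Expect: 100-continue by default.
    if (req["method"] == "POST"
            and "user-agent" not in h
            and h.get("expect", "").lower() == "100-continue"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        hits.append("headless_form_post")
    return hits


def scan_log(text):
    """Run classify() over proxy log lines; returns [(line_no, hits)] for lines with hits."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, _src, dst_ip, method, url, _status = fields[:6]
        u = urlsplit(url)
        req = {"method": method, "path": u.path, "headers": {"host": u.hostname or ""}}
        hits = classify(req, dst_ip)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    print("captured request:", classify(parse_request(CAPTURED_POST)))
    for n, hits in scan_log(SAMPLE_LOG):
        print("log line", n, hits)
```

Proxy logs carry only the URL, so only the host, path and IP indicators apply there; the header heuristic needs the full request and is meant for a packet capture or a reverse proxy that logs request headers. Host matching is independent of path on purpose, so a later visit to another path on the same domain (the robots.txt line) is still surfaced.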